AWS API Gateway private integration with mutual TLS

Is mutual TLS supported with private resource integration in HTTP API Gateway? I created an HTTP integration that routes traffic into a private ALB's HTTP listener. After that I implemented mutual TLS by using this guide: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

While testing certificate authentication I created a second set of certificates and used the second set's client key and pem to authenticate successfully against the first set's keystore. This behavior should not be possible. With this configuration API Gateway demands that clients send a certificate and key, but never verifies them against the specified truststore. I tested this setup by switching the private integration to a Lambda integration and TLS operated like it should, verifying the certificate against the truststore.

How to reproduce:

- create an HTTP API Gateway API with Lambda integration (used ANY /)
- create a custom domain for the API, with mutual TLS enabled and the default endpoint disabled
- create 2 sets of certificates and client keys
- TLS should check the validity of the client certificate and prevent mixing certificates between sets
- switch the Lambda integration to a private ALB integration with an HTTP listener
- test TLS again by mixing certificates
- API Gateway accepts mixed certificates
- As a side effect, in this configuration the gateway ignores the default endpoint disable setting and enables bypassing the TLS completely.

1 Answer
As per the doc (https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html), private APIs don't support mutual TLS.

In order to do that, you would need something like: Client -> NLB -> Proxy (to handle mTLS) -> interface VPC endpoint for API Gateway -> private API

You can have a look at this blog post: https://aws.amazon.com/pt/blogs/aws-brasil/suportando-mutual-tls-mtls-utilizando-certificados-do-icp-brasil-para-o-open-banking-no-brasil-utilizando-o-amazon-api-gateway/. It's in Portuguese, but you will see the architecture and can probably translate it.

Answered by AWS (EXPERT) 2 years ago; reviewed 2 years ago
  • I'm aware that mutual TLS for private API gateways is not supported, but in my case I'm using a public API gateway with a VPC link. Shouldn't this configuration be supported, as the only difference between the functional and nonfunctional configurations is swapping the Lambda integration for the VPC link integration?
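The proxy stage of the Client -> NLB -> Proxy -> VPC endpoint -> private API chain from the answer above, as an added nginx example that is not from the post or from AWS: it puts the setting that merely asks the client for a certificate next to the one that actually enforces the truststore, which is the difference the question's test exposed. The hostnames, file paths, API id, region and VPC endpoint name are placeholders.

```nginx
# Added example, not part of the original post. All paths, hostnames,
# the API id and the VPC endpoint DNS name are placeholders.
server {
    listen 443 ssl;
    server_name api.example.com;                          # placeholder

    ssl_certificate     /etc/nginx/tls/server.pem;        # placeholder
    ssl_certificate_key /etc/nginx/tls/server.key;        # placeholder

    # Truststore: only the CA(s) that issued acceptable client certificates.
    ssl_client_certificate /etc/nginx/tls/truststore.pem; # placeholder

    # WEAK: asks the client for a certificate but accepts whatever is sent
    # without chaining it to the truststore. This is the symptom described
    # in the question: a certificate from an unrelated set gets through.
    # ssl_verify_client optional_no_ca;

    # CORRECT: require a client certificate and abort the handshake unless
    # it chains to ssl_client_certificate. Depth 2 permits one intermediate.
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Defence in depth: refuse anything that did not verify, so a later
        # relaxation of ssl_verify_client cannot silently open the path.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Interface VPC endpoint for execute-api (placeholder name). The
        # private API is selected by sending its execute-api hostname as
        # Host; the same name is used for SNI and upstream cert checking.
        proxy_pass https://vpce-0123456789abcdef0-abcdefgh.execute-api.eu-west-1.vpce.amazonaws.com;
        proxy_set_header Host a1b2c3d4e5.execute-api.eu-west-1.amazonaws.com;  # placeholder
        proxy_ssl_server_name on;
        proxy_ssl_name a1b2c3d4e5.execute-api.eu-west-1.amazonaws.com;         # placeholder
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;      # placeholder

        # Hand the verified client identity downstream for authorization/logging.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Re-run the question's test against this proxy: a client certificate from the second set must fail the handshake, and `$ssl_client_verify` shows `FAILED:...` in the logs rather than `SUCCESS`.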
